Ask HN: What is the best password manager available today?

30 pointsdijondreams2y ago72 comments

I am afraid of a private company being responsible for my passwords but also not confident in my own ability to manage any sort of password manager across all my devices. What do people do?

72 comments

mikece2y ago

For cloud-synched across devices: BitWarden.

For maximum security (no cloud sync): KeePassXC

In both cases an essential feature applies: if you forget your master password you've lost access to your password database.

autoexec2y ago

I've used KeePass for ages and every time another password manager comes up in the headlines it's only ever made me feel more confident about that decision. Zero games, no cloud/other party to be dependent on, and I have total freedom to implement whatever backup/sync methods work best for my situation.

mikece2y ago

KeePass is not KeePassXC. The former is written in .NET, the latter in C++; numerous open source audits have shown that KeePassXC is far and away more secure than KeePass. Not to mention that cross-platform performance for KeePassXC is superior.

3 more replies

DreamFlasher2y ago

You could sync the KeePassXC database with Syncthing, to have e2e encrypted sync across devices, fully open source and without servers.

bhu1st2y ago

I feel safe using KeePass. Its hotkey auto-fills most of the time. You can regularly sync/backup the database to cloud.

hayst4ck2y ago

KeePass seems to sync via a preferred cloud provider fine.

mikece2y ago

You can sync a KeePassXC database using a provider like Google Drive/iCloud/Dropbox/etc but that's not a feature of KeePassXC, it's you doing semi-manual cloud synch.

number62y ago

Use Vaultwarden and self host the backend

palata2y ago

This ^

1 more reply

doodlesdev2y ago

So, please define best, because it depends on what you're looking for. A list of the options I know and would personally recommend:

Bitwarden (optionally with self-hosted Vaultwarden) - Best UX for the FOSS options, syncs all your devices, overall just pretty good.

   Website: https://bitwarden.com/
   Vaultwarden: https://github.com/dani-garcia/vaultwarden

KeepassXC (optionally synced with syncthing or your cloud provider of choice) - Portable, no need to host a server to keep the database, offline-first. Database format is standardized, and other password managers support the database format.

   Desktop: https://keepassxc.org/
   Android: https://www.keepassdx.com/
   iOS: https://strongboxsafe.com/
   Syncthing: https://syncthing.net/

pass, if you're always on the terminal. (optionally synced with syncthing or any cloud provider). Or you can go with gopass, which uses the same database format, has better support for multiple users/stores, and enables git versioning by default. There are GUI and mobile clients available that are compatible with this database format.

   pass: https://www.passwordstore.org/
   gopass: https://www.gopass.pw/

These are the main ones I would recommend you take a look at for the most common use-cases. I can't recommend anything that doesn't provide FOSS clients or that can't be self-hosted, so some decent options UX-wise were excluded. You really have to see what you want out of the password manager to choose one. Keep in mind that for both pass and keepass there are multiple clients that are compatible with the database format, that affords you with more portability, options, and the possibility of having native clients.

xarope2y ago

I'd echo what others say, KeePassXC on local storage, which you can then sync across devices either with syncthing, dropbox etc.

However, I have just started exploring using vaultwarden (a rust rewrite of bitwarden, which is self-hosted).

DreamFlasher2y ago

I am very happy with my vaultwarden setup, but if you don't run your own server, you don't want to, KeePassXC + syncthing is probably the best you can do.

zmmmmm2y ago

Unix pass [0]

[0] https://www.passwordstore.org/

zmmmmm2y ago

Fwiw, the biggest downside of it is multiple user functionality.

It's doable, but you have to import the public gpg key of everybody who needs to access the secrets. Effectively, every secret ends up encrypted with the public key of every user who needs access - not sure how scalable it would be if you have more than a small team of people accessing it this way.

doodlesdev2y ago

For that you can go with gopass:

https://www.gopass.pw/

It has first-class support for multiple stores and it's 100% compatible with pass databases.

1 more reply

zdragnar2y ago

I love it on Linux, but has anyone else had it perform really poorly on macos? Last time I had a MacBook, it wasnt even close to the instantaneous speed of pass on Linux- more like seconds for every command.

zmmmmm2y ago

I use it intensively on Mac and not had that problem.

Since it interfaces with GPG I would suspect something to do with how your gpg configuration is set up (is it trying to talk to a gpg-agent or possibly a pin-entry program that is timing out or something like that). Intrinsically what it does is completely trivial in terms of compute etc.

Costanzilla2y ago

Back when 1password, 90% sure it was that, had no Linux client I was searching for a solution to store passwords and settled for Enpass.

I sync via WebDAV on my Synology NAS and I’m not really worried to lose anything since every synced device has a full copy of the data.

Thought about switching to 1password a few months back since we’re using it at work and the client is better but they don’t have an Enpass import. It supports some kind of CSV transfer but I don’t want to pay for a bunch of, worst case scenario, not really perfectly structured data so I decided to stick with what I have.

Edit: when thinking of switching I was a little nitpicky. I’m pretty happy with Enpass everything considered. 1p client is just even better but with the give them your data and your money thing, which I’m not necessarily fond of

zapatos2y ago

Enpass is like Keepass but with a better UX. Which is exactly what I wanted, and it hasn’t let me down on iOS + Linux, synced via Dropbox.

egamirorrim2y ago

Yes! Enpass is great, and I love that I can back it up to my own cloud instead of being forced into one cloud like with 1password

thealchemistdev2y ago

https://keepassxc.org/

"no-nonsense, ad-free, tracker-free, and cloud-free manner. Free and open source."

Pair with Syncthing to go across devices.

billy_bitchtits2y ago

1password

CharlesW2y ago

1Password is the best password manager I've used, and the family plan works great and is reasonably priced ($60/year). Unlike many folks who are cloud-averse, I prefer a cross-platform solution that syncs to the cloud, and I'm comfortable with their security model (https://support.1password.com/1password-security/).

It's worth noting that they really fubared the 1Password 8 transition and I was very irritated that they had me looking at alternatives. However, they gradually fixed the problems and missing features and now I'm 100% satisfied with it again.

xtiansimon2y ago

> “It's worth noting that they really fubared the 1Password 8 transition”

I’d never use 1Password again. While the software may be good when you try it, I’m sure they will ruin it at a later date. That was my experience. The company earned my enmity.

atmosx2y ago

This. Hands down.

The downside is that is cloud based.

hayst4ck2y ago

1Password is making choices for the business at the cost of security. Sucking people's password vaults into their cloud is very not cool. Additionally removing the local vault only option is another business first decision.

It's only a matter of time before 1Password has a real security problem because the business forces at 1Password appear to be much stronger than the engineering forces.

3 more replies

version_five2y ago

I have to agree. Been using it ~5 years with no issues. There may be application specific reasons some other manager is better, but for an easy to use and seemingly solid product, I'd recommend 1password.

0x0082y ago

1password has a great UI imo. and they now support ssh keys as well (albeit a bit strangely, but at least they do).

tdsanchez2y ago

I came here to say this.

I've used 1password for 16 years and it is SOLID.

xupybd2y ago

I use KeePass. I sync with Dropbox. I've not found a solution that competes on simplicity and ease of use.

margoguryan2y ago

Dashlane has never failed me once since 2017. I even got my family to do the family plan. It rocks.

doublerebel2y ago

Since 2014 for me, through multiple startups. Easiest way to maintain personal passwords and still allow role-based management by any business I am managing or working with, in the same program and login.

prezjordan2y ago

Only one that reliably auto-fills and saves generated passwords for me.

VoodooJuJu2y ago

pass, the standard unix password manager: https://www.passwordstore.org/

Ferret74462y ago

pass has issues: https://rot256.dev/post/pass/

This is very much a case of "don't invent your own cryptosystem", especially not in bash.

subsection1h2y ago

The author of that article wrote, "If you absolutely need the CLI interface, I do not really have any good recommendations for you." I think the existence of the (minor[1]) issues raised in that article are less annoying than having to use a GUI password manager (but I'm generally anti-GUI).

[1] https://news.ycombinator.com/item?id=34477901

aborsy2y ago

PGP has a kind of authentication called MDC which is kind of a MAC. Changes to ciphertext are detected.

The metadata leakage is not good from a privacy standpoint, but brings about much more important security benefits that are mentioned in the post. Using Gopass will hide metadata.

doodlesdev2y ago

Or gopass, if you need multiple stores/users

https://www.gopass.pw/

arepublicadoceu2y ago

For all the people recommending keepassxc and are also iOS users, how do you deal with the lack of reproducibility of iOS apps?

Even “opensource” apps such as strongbox and keepassium have no way of asserting that whatever code they publish on GitHub is the same that I’m installing through the AppStore.

Am I just overly paranoid?

This is the main hindrance for me to using KeePassXC everywhere. If I’m going to blindly trust anyone I prefer to trust apple keychain.

blitz2y ago

Self-hosted Bitwarden via Vaultwarden

archi422y ago

I was in the same boat as op: Didn't want to care about sync at all and use it on all my devices. Didn't want to rely on a third party. Vaultwarden solved that for me.

Like all services I self-host for personal use, it's only accessible via VPN.

JenrHywy2y ago

Bitwarden is also quite family friendly, both in that it's easy to use and you can share passwords with other people.

Hamuko2y ago

I use Secrets (https://outercorner.com/secrets-mac/) which syncs via iCloud. Definitely not perfect, especially if you're not heavily within the Apple ecosystem, but at least it's native and doesn't require a subscription.

evantbyrne2y ago

Do you have to pay separately for the mac and ios versions?

Hamuko2y ago

Yes.

If you want to save some money, it will give you an automatic 25% discount if you just wait around for some amount of days before buying the full version. Applies to both versions of the app.

connordoner2y ago

Is there a compelling reason to use this over iCloud Keychain?

Hamuko2y ago

Does iCloud Keychain really have support for anything other than Safari?

1 more reply

kennywinker2y ago

+1 for secrets. Simple, works.

alanfranz2y ago

Bitwarden can be self hosted. KeePass* you can sync with a separate service (eg Dropbox).

transpute2y ago

Codebook on iOS/macOS with local sync, almost 20 years old, indie dev, https://news.ycombinator.com/item?id=35804714

monlockandkey2y ago

Keeweb.info

Kepass kdb file compatible but can access through browser interface. Backup kdb file to cloud storage.

Don't like bitwarden. Keeping your encrypted password file in Google drive is much better and portable than self hosting on your own server.

rainytuesday2y ago

I like portable-secret which uses the built-in browser cryptographic functions, no external software.

https://github.com/mprimi/portable-secret

aborsy2y ago

The most secure option is probably Password Store with a PGP key on Yubikey, in my view.

There is also Passage, which is a similar offering, but I have problems with Yubikey PIV PIN caching (and prefer CV25519 to NIST curves).

egamirorrim2y ago

Enpass ftw, clients for all platforms, browser extensions and lets me backup to my own NAS/Dropbox/Gdrive

jiveturkey2y ago

define best. most secure? most usable? most portable? most other?

abbadadda2y ago

Thoughts on SafeInCloud? I just opt not to sync to the cloud.

alexaholic2y ago

iOS/Safari

spicyusername2y ago

KeepassXC synced with Google Drive.

friend_and_foe2y ago

Keepass and syncthing.

jmuncaster2y ago

1password no contest

grapesurgeon2y ago

initially started with dashlane, but it was such a pain in the ass that i never used it. when i started getting my shit together security-wise, i signed up for bitwarden then hosted vaultwarden for a little while. i have keepassxc with syncthing a shot and im probably going to stick with this setup.

i have very little confidence recommending anything other than bitwarden/vaultwarden or keepassxc

j / k navigate · click thread line to collapse

72 comments

mikece2y ago

For cloud-synched across devices: BitWarden.

For maximum security (no cloud sync): KeePassXC

In both cases an essential feature applies: if you forget your master password you've lost access to your password database.

autoexec2y ago

mikece2y ago

3 more replies

DreamFlasher2y ago

You could sync the KeePassXC database with Syncthing, to have e2e encrypted sync across devices, fully open source and without servers.

bhu1st2y ago

I feel safe using KeePass. Its hotkey auto-fills most of the time. You can regularly sync/backup the database to cloud.

hayst4ck2y ago

KeePass seems to sync via a preferred cloud provider fine.

mikece2y ago

You can sync a KeePassXC database using a provider like Google Drive/iCloud/Dropbox/etc but that's not a feature of KeePassXC, it's you doing semi-manual cloud synch.

number62y ago

Use Vaultwarden and self host the backend

palata2y ago

This ^

1 more reply

doodlesdev2y ago

So, please define best, because it depends on what you're looking for. A list of the options I know and would personally recommend:

Bitwarden (optionally with self-hosted Vaultwarden) - Best UX for the FOSS options, syncs all your devices, overall just pretty good.

   Website: https://bitwarden.com/
   Vaultwarden: https://github.com/dani-garcia/vaultwarden

   Desktop: https://keepassxc.org/
   Android: https://www.keepassdx.com/
   iOS: https://strongboxsafe.com/
   Syncthing: https://syncthing.net/

   pass: https://www.passwordstore.org/
   gopass: https://www.gopass.pw/

xarope2y ago

I'd echo what others say, KeePassXC on local storage, which you can then sync across devices either with syncthing, dropbox etc.

However, I have just started exploring using vaultwarden (a rust rewrite of bitwarden, which is self-hosted).

DreamFlasher2y ago

I am very happy with my vaultwarden setup, but if you don't run your own server, you don't want to, KeePassXC + syncthing is probably the best you can do.

zmmmmm2y ago

Unix pass [0]

[0] https://www.passwordstore.org/

zmmmmm2y ago

Fwiw, the biggest downside of it is multiple user functionality.

doodlesdev2y ago

For that you can go with gopass:

https://www.gopass.pw/

It has first-class support for multiple stores and it's 100% compatible with pass databases.

1 more reply

zdragnar2y ago

zmmmmm2y ago

I use it intensively on Mac and not had that problem.

Costanzilla2y ago

Back when 1password, 90% sure it was that, had no Linux client I was searching for a solution to store passwords and settled for Enpass.

I sync via WebDAV on my Synology NAS and I’m not really worried to lose anything since every synced device has a full copy of the data.

zapatos2y ago

Enpass is like Keepass but with a better UX. Which is exactly what I wanted, and it hasn’t let me down on iOS + Linux, synced via Dropbox.

egamirorrim2y ago

Yes! Enpass is great, and I love that I can back it up to my own cloud instead of being forced into one cloud like with 1password

thealchemistdev2y ago

https://keepassxc.org/

"no-nonsense, ad-free, tracker-free, and cloud-free manner. Free and open source."

Pair with Syncthing to go across devices.

billy_bitchtits2y ago

1password

CharlesW2y ago

xtiansimon2y ago

> “It's worth noting that they really fubared the 1Password 8 transition”

I’d never use 1Password again. While the software may be good when you try it, I’m sure they will ruin it at a later date. That was my experience. The company earned my enmity.

atmosx2y ago

This. Hands down.

The downside is that is cloud based.

hayst4ck2y ago

It's only a matter of time before 1Password has a real security problem because the business forces at 1Password appear to be much stronger than the engineering forces.

3 more replies

version_five2y ago

0x0082y ago

1password has a great UI imo. and they now support ssh keys as well (albeit a bit strangely, but at least they do).

tdsanchez2y ago

I came here to say this.

I've used 1password for 16 years and it is SOLID.

xupybd2y ago

I use KeePass. I sync with Dropbox. I've not found a solution that competes on simplicity and ease of use.

margoguryan2y ago

Dashlane has never failed me once since 2017. I even got my family to do the family plan. It rocks.

doublerebel2y ago

prezjordan2y ago

Only one that reliably auto-fills and saves generated passwords for me.

VoodooJuJu2y ago

pass, the standard unix password manager: https://www.passwordstore.org/

Ferret74462y ago

pass has issues: https://rot256.dev/post/pass/

This is very much a case of "don't invent your own cryptosystem", especially not in bash.

subsection1h2y ago

[1] https://news.ycombinator.com/item?id=34477901

aborsy2y ago

PGP has a kind of authentication called MDC which is kind of a MAC. Changes to ciphertext are detected.

The metadata leakage is not good from a privacy standpoint, but brings about much more important security benefits that are mentioned in the post. Using Gopass will hide metadata.

doodlesdev2y ago

Or gopass, if you need multiple stores/users

https://www.gopass.pw/

arepublicadoceu2y ago

For all the people recommending keepassxc and are also iOS users, how do you deal with the lack of reproducibility of iOS apps?

Even “opensource” apps such as strongbox and keepassium have no way of asserting that whatever code they publish on GitHub is the same that I’m installing through the AppStore.

Am I just overly paranoid?

This is the main hindrance for me to using KeePassXC everywhere. If I’m going to blindly trust anyone I prefer to trust apple keychain.

blitz2y ago

Self-hosted Bitwarden via Vaultwarden

archi422y ago

I was in the same boat as op: Didn't want to care about sync at all and use it on all my devices. Didn't want to rely on a third party. Vaultwarden solved that for me.

Like all services I self-host for personal use, it's only accessible via VPN.

JenrHywy2y ago

Bitwarden is also quite family friendly, both in that it's easy to use and you can share passwords with other people.

Hamuko2y ago

evantbyrne2y ago

Do you have to pay separately for the mac and ios versions?

Hamuko2y ago

Yes.

If you want to save some money, it will give you an automatic 25% discount if you just wait around for some amount of days before buying the full version. Applies to both versions of the app.

connordoner2y ago

Is there a compelling reason to use this over iCloud Keychain?

Hamuko2y ago

Does iCloud Keychain really have support for anything other than Safari?

1 more reply

kennywinker2y ago

+1 for secrets. Simple, works.

alanfranz2y ago

Bitwarden can be self hosted. KeePass* you can sync with a separate service (eg Dropbox).

transpute2y ago

Codebook on iOS/macOS with local sync, almost 20 years old, indie dev, https://news.ycombinator.com/item?id=35804714

monlockandkey2y ago

Keeweb.info

Kepass kdb file compatible but can access through browser interface. Backup kdb file to cloud storage.

Don't like bitwarden. Keeping your encrypted password file in Google drive is much better and portable than self hosting on your own server.

rainytuesday2y ago

I like portable-secret which uses the built-in browser cryptographic functions, no external software.

https://github.com/mprimi/portable-secret

aborsy2y ago

The most secure option is probably Password Store with a PGP key on Yubikey, in my view.

There is also Passage, which is a similar offering, but I have problems with Yubikey PIV PIN caching (and prefer CV25519 to NIST curves).

egamirorrim2y ago

Enpass ftw, clients for all platforms, browser extensions and lets me backup to my own NAS/Dropbox/Gdrive

jiveturkey2y ago

define best. most secure? most usable? most portable? most other?

abbadadda2y ago

Thoughts on SafeInCloud? I just opt not to sync to the cloud.

alexaholic2y ago

iOS/Safari

spicyusername2y ago

KeepassXC synced with Google Drive.

friend_and_foe2y ago

Keepass and syncthing.

jmuncaster2y ago

1password no contest

grapesurgeon2y ago

i have very little confidence recommending anything other than bitwarden/vaultwarden or keepassxc

j / k navigate · click thread line to collapse